If everything is successful, you will see the echoed response from the ballerina server.

Method 2 : Adding your services to an existing Docker container

The Docker distribution for Ballerina is available on Docker Hub as ballerinalang/ballerina. To run a Ballerina package using the Ballerina Docker image, simply mount the folder containing the file to the /ballerina/files folder inside the container. Following is how you can do this.

Sunday, July 23, 2017

In WSO2 Enterprise Integrator we have proxy services. By default, when you create a proxy service, the context of the service URL is generated from the proxy service name. For example, if you create a proxy service named "myproxy", the service URL will be the following.

http://localhost:8290/services/myproxy

But what if you want a custom URI? For example:

http://localhost:8290/services/myproxy/idservice/1.0

Following is how you can do this.

Step 01 : Open your axis2.xml. It can be found at <EI_HOME>/conf/axis2/axis2.xml

Step 02 : In axis2.xml find the phaseOrder with type="InFlow" and add the CustomURIBasedDispatcher handler (class org.apache.synapse.core.axis2.CustomURIBasedDispatcher) to that phaseOrder. The complete InFlow with the dispatcher in place is shown below.

The dispatcher must be inserted into the InFlow at the Dispatch phase, and it must be the first handler in that phase.

Note : axis2.xml defines several message flows (InFlow, OutFlow and the fault flows), so make sure you add the dispatcher to the correct one. It belongs in InFlow.

<phaseOrder type="InFlow">
    <!-- System pre defined phases -->
    <!--
        The MsgInObservation phase is used to observe messages as soon as they are
        received. In this phase, we could do some things such as SOAP message tracing & keeping
        track of the time at which a particular message was received
        NOTE: This should be the very first phase in this flow
    -->
    <phase name="MsgInObservation">
        <handler name="TraceMessageBuilderDispatchHandler"
                 class="org.apache.synapse.transport.passthru.util.TraceMessageBuilderDispatchHandler"/>
    </phase>
    <phase name="Validation"/>
    <phase name="Transport">
        <handler name="RequestURIBasedDispatcher"
                 class="org.apache.axis2.dispatchers.RequestURIBasedDispatcher">
            <order phase="Transport"/>
        </handler>
        <handler name="CarbonContextConfigurator"
                 class="org.wso2.carbon.mediation.initializer.handler.CarbonContextConfigurator"/>
        <handler name="RelaySecuirtyMessageBuilderDispatchandler"
                 class="org.apache.synapse.transport.passthru.util.RelaySecuirtyMessageBuilderDispatchandler"/>
        <handler name="SOAPActionBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPActionBasedDispatcher">
            <order phase="Transport"/>
        </handler>
        <!--handler name="SMTPFaultHandler" class="org.wso2.carbon.core.transports.smtp.SMTPFaultHandler">
            <order phase="Transport"/>
        </handler-->
    </phase>
    <phase name="Addressing">
        <handler name="AddressingBasedDispatcher"
                 class="org.apache.axis2.dispatchers.AddressingBasedDispatcher">
            <order phase="Addressing"/>
        </handler>
    </phase>
    <phase name="Security"/>
    <phase name="PreDispatch">
        <!-- Uncomment following handler to enable logging in ESB log UI -->
        <!--<handler name="TenantDomainSetter"-->
        <!--class="org.wso2.carbon.utils.logging.handler.TenantDomainSetter"/>-->
    </phase>
    <phase name="Dispatch" class="org.apache.axis2.engine.DispatchPhase">
        <handler name="CustomURIBasedDispatcher"
                 class="org.apache.synapse.core.axis2.CustomURIBasedDispatcher"/>
        <handler name="RequestURIBasedDispatcher"
                 class="org.apache.axis2.dispatchers.RequestURIBasedDispatcher"/>
        <handler name="SOAPActionBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPActionBasedDispatcher"/>
        <handler name="RequestURIOperationDispatcher"
                 class="org.apache.axis2.dispatchers.RequestURIOperationDispatcher"/>
        <handler name="SOAPMessageBodyBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPMessageBodyBasedDispatcher"/>
        <handler name="HTTPLocationBasedDispatcher"
                 class="org.apache.axis2.dispatchers.HTTPLocationBasedDispatcher"/>
        <handler name="MultitenantDispatcher"
                 class="org.wso2.carbon.tenant.dispatcher.MultitenantDispatcher"/>
        <handler name="SynapseDispatcher"
                 class="org.apache.synapse.core.axis2.SynapseDispatcher"/>
        <handler name="SynapseMustUnderstandHandler"
                 class="org.apache.synapse.core.axis2.SynapseMustUnderstandHandler"/>
    </phase>
    <!-- System pre defined phases -->
    <phase name="RMPhase"/>
    <phase name="OpPhase"/>
    <phase name="AuthPhase"/>
    <phase name="MUPhase"/>
    <!-- After Postdispatch phase module author or service author can add any phase he want -->
    <phase name="OperationInPhase"/>
</phaseOrder>

Step 03 : Now restart your server and create the following proxy service. Note the ServiceURI parameter.

So my issue was that my URL had a special character (tools$ballerina-tools), the $ character. Bash dropped it when fetching the artifact, so Jenkins was unable to find the actual resource. To solve this type of issue you can use an escape character to skip the special character.

Friday, April 21, 2017

Server names are defined using the server_name directive and determine which server block is used for a given request. See also “How nginx processes a request”. They may be defined using exact names, wildcard names, or regular expressions:

Nginx behaves as follows.

Nginx first decides which server should process the request. Let's start with a simple configuration where all three virtual servers listen on port *:80:

In the above configuration Nginx checks only the request's "Host" header field to determine which server the request should be routed to. If its value does not match any server name, or the request does not contain this header field at all, Nginx routes the request to the default server for this port.

Let me elaborate with an example. If a client sends a request to www.yasassri.org, www.yasassri.net or www.yasassri.com, Nginx routes the message to the corresponding server block (provided the Host header carries that hostname). But what if the client sends a message with the Host header www.abcd.com? It doesn't match any server name, so it shouldn't be routed anywhere, right? No, that is not what really happens: the default behaviour of Nginx is to route this message to the default server configuration. In the configuration above, the default server is the first one, which is Nginx's standard default behaviour. It can also be set explicitly which server should be the default, with the default_server parameter in the listen directive:

So what if you want to block all the calls that don't match any of the defined server names? Nginx doesn't provide a configuration option for this; as a workaround you can simply add the following server block, which becomes your default server.

server {
    listen 80 default_server;
    return 404;
}

So whenever the server name doesn't match, the request is routed to the above server block and a 404 is sent to the client.

Wednesday, January 18, 2017

SSL can be a pain sometimes. Recently I kept getting the following exception no matter which certificate I imported into the client-truststore, so it took a lot of effort to debug and find the real issue behind it. In this post I'll explain how one can debug an SSL connection issue.

org.apache.axis2.AxisFault: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)
    at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:622)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:193)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    at SecurityClient.runSecurityClient(SecurityClient.java:99)
    at SecurityClient.main(SecurityClient.java:34)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: javax.xml.stream.XMLStreamException: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.stream.writers.XMLStreamWriterImpl.close(XMLStreamWriterImpl.java:378)
    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.close(MTOMXMLStreamWriter.java:188)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:844)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:74)
    ... 25 more
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1509)
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1521)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
    at com.sun.xml.internal.stream.writers.UTF8OutputStreamWriter.flush(UTF8OutputStreamWriter.java:138)
    at com.sun.xml.internal.stream.writers.XMLStreamWriterImpl.close(XMLStreamWriterImpl.java:376)
    ... 29 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
    at com.sun.xml.internal.stream.writers.UTF8OutputStreamWriter.flush(UTF8OutputStreamWriter.java:138)
    at com.sun.xml.internal.stream.writers.XMLStreamWriterImpl.flush(XMLStreamWriterImpl.java:397)
    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.flush(XMLStreamWriterWrapper.java:50)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:198)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:842)
    ... 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351)
    ... 41 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 47 more
Exception in thread "main" java.lang.NullPointerException
    at SecurityClient.main(SecurityClient.java:38)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)

I'm assuming that you have passed the certificate-import step, which is the most common cause of this issue. You simply need to import the server's public certificate into the Java client's trust-store. To import a certificate you can use the following keytool command.

It's important to know what happens when the client makes an SSL connection.
The following image depicts the SSL handshake process.

If you haven't enabled mutual SSL, step 4 is skipped in the SSL handshake. When the server receives a Client Hello it replies with the server's public certificate, and the client checks whether this certificate is present in the client's trust-store, to make sure it is talking to the actual server (to avoid a man-in-the-middle attack). This is where the above error is thrown: if the client cannot find the server's certificate in its trust-store it breaks off the handshake and starts complaining.

So how can we debug this issue? First, make sure that your trust-store actually has the certificate. To do that you can list all the certificates in the client trust-store.

If the certificate is not there, you need to import it. Also make sure you don't have multiple certificates with the same CN (Common Name) if you are using wildcard certificates.

So what if you have the certificate but are still getting this issue? Then make sure that the server or load balancer is sending the correct certificate. In my case I have an Nginx server in front, and my client connects through Nginx.

To check the server's certificate you can use the openssl client. Simply execute the following in your terminal.

openssl s_client -connect wso2.com:443

If everything is working correctly, the certificate's CN should match the server's hostname.

What if the certificate is different? Why, and how? In my case I had exactly this issue: my Nginx server was sending me the wrong certificate. After a lot of debugging it turned out that my client was using SSLv2. Let me explain this further.

In my Nginx configuration I have multiple certificates configured for multiple servers, and I found that Nginx was sending me the certificate of a different server. Why? It turns out that in the old days it was not possible to serve multiple certificates on the same IP+port: at the SSL handshake level there is no way for the server to know whether you are calling foo.com or bar.com. But in later iterations of SSL, in TLS 1.2+, there is a concept called SNI (Server Name Indication); with SNI the client can send the server's hostname at the SSL handshake level. Since my client was using SSLv2, Nginx had no clue which certificate to send, so it sent the first certificate that matched, which in my case meant alphabetical order.

So the correct fix for this is to use a later protocol such as TLS. Alternatively you can move the different servers to different ports in Nginx, so that Nginx always has a single certificate to deal with. Another workaround is to import all the certificates into the client-truststore.

In my case I moved some servers to different ports in Nginx, since I didn't have any control over the clients. So how can you use SNI when connecting with the openssl client? Simply use the following command.

openssl s_client -servername wso2.com -connect wso2.com:443
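To make the checks above repeatable, here is an added example (not code from the original post) in POSIX shell: it pulls the CN out of `openssl s_client` output, compares it with the intended hostname (handling single-label wildcard certificates), reports the no-SNI "wrong certificate" case, and flags duplicate CNs in `keytool -list -v` output. The openssl and keytool output embedded below is constructed; the hostnames are the ones used on this page.

```sh
#!/bin/sh
# Added example, not part of the original post. All sample output is constructed.

# Print the CN from the first "subject=" line on stdin. Handles both the
# "subject=CN = host" and the older "subject=/C=US/CN=host" layouts.
extract_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when CN matches HOST exactly, or when CN is a single-label wildcard:
# "*.example.org" matches "www.example.org" but not "a.b.example.org"
# and not the bare "example.org".
cn_matches_host() {
  cn=$1; host=$2
  [ "$cn" = "$host" ] && return 0
  case "$cn" in
    \*.*)
      suffix=${cn#\*.}
      label=${host%.$suffix}
      [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] && return 0
      ;;
  esac
  return 1
}

# Read s_client output on stdin and compare its CN with HOST ($1).
# Returns 0 on match, 1 on mismatch (the "wrong certificate" case above).
check_served_cert() {
  host=$1
  cn=$(extract_cn)
  if cn_matches_host "$cn" "$host"; then
    echo "OK: $host got certificate CN=$cn"
    return 0
  fi
  echo "MISMATCH: asked for $host, server presented CN=$cn (no SNI or wrong vhost?)"
  return 1
}

# Print every CN that appears more than once in `keytool -list -v` output.
duplicate_cns() {
  sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | sort | uniq -d
}

# Constructed sample: what Nginx served without -servername (the first
# vhost's certificate, alphabetically) versus with -servername.
NO_SNI='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.yasassri.com
---
subject=CN = www.yasassri.com
issuer=C = US, O = Example CA, CN = Example Root
---'
WITH_SNI='CONNECTED(00000003)
---
subject=C = US, O = Example, CN = *.yasassri.org
issuer=C = US, O = Example CA, CN = Example Root
---'
# Constructed keytool -list -v excerpt with one CN imported under two aliases.
TRUSTSTORE='Alias name: yasassri
Owner: CN=*.yasassri.org, O=Example, C=US
Alias name: yasassri-old
Owner: CN=*.yasassri.org, O=Example, C=US
Alias name: wso2
Owner: CN=wso2.com, O=WSO2, C=US'

printf '%s\n' "$NO_SNI"     | check_served_cert www.yasassri.org || :  # MISMATCH
printf '%s\n' "$WITH_SNI"   | check_served_cert www.yasassri.org       # OK
printf '%s\n' "$TRUSTSTORE" | duplicate_cns                            # *.yasassri.org
```

On a live host, replace the embedded samples with `openssl s_client -servername HOST -connect HOST:443 </dev/null | check_served_cert HOST` and `keytool -list -v -keystore client-truststore.jks | duplicate_cns`.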

I hope this helps someone. Drop a comment if you have any queries.

About Me

I'm a graduate of the University of Colombo School of Computing, majoring in Computer Science, and of University College Dublin, Ireland, majoring in Human Resource Management. Currently I'm working as a Software Engineer in Quality Assurance.